CattleGrid News
WHOSE FLAG PROTECTS YOU?
US Law vs Chinese Law — And the Kicker Few Know About
A Series of 9 Posts
Prepared 05-03-2026
Contents
1. Two Flags, One Problem — Why Neither Superpower Is Safe for European Data
2. The Warrant vs The Obligation — How Each Government Reaches Your Data
3. FISA Section 702 — The Surveillance Programme That Europe Cannot Ignore
4. China’s Seven Laws — The Cage That No Contract Can Open
5. The Adequacy Illusion — Why the Data Privacy Framework Doesn’t Solve the Problem
6. The Uncomfortable Similarities — What the US and China Actually Have in Common
7. Encryption — The One Technical Measure That Might Change the Equation
8. Then Canada Blew It All Up — The OVH Case and the Death of Data Residency
9. Whose Flag Protects You? — None of Them
Post 1: Two Flags, One Problem — Why Neither Superpower Is Safe for European Data
When European businesses evaluate AI providers, the conversation usually goes like this:
“We can’t use Chinese providers, too risky. Let’s go with an American one.”
That instinct is understandable. But it skips a critical question: is the American alternative actually safe for European data? Or is it just less obviously dangerous?
Over the next 8 posts, I’m going to compare US and Chinese data access laws side by side. I’ll be honest about the differences: they are real and they matter. China’s system is more opaque, more coercive, and more sweeping than the American equivalent. They are not the same.
But here’s the uncomfortable conclusion this series will reach: neither system is compatible with genuine European data sovereignty. The CLOUD Act gives the US government the legal authority to compel any US company to hand over European data, regardless of where that data is stored. No amount of contractual language, no Standard Contractual Clause, and no adequacy framework changes that underlying legal reality.
The EU–US Data Privacy Framework is a political compromise, not a technical guarantee. Its two predecessors, Safe Harbor and Privacy Shield, were both invalidated by the CJEU, and privacy advocates expect the DPF to be challenged in turn. And even while it stands, it does not prevent CLOUD Act warrants from being served.
The question for European businesses is not “US or China?” It’s “How do we protect our data regardless of whose flag flies over the provider?”
This is post 1 of 9 in a series on why no foreign legal framework is compatible with genuine European data protection.
#datasecurity #compliance #GDPR #dataprivacy #CLOUDACT #datasovereignty #riskmanagement
References:
European Commission, EU–US Data Privacy Framework Adequacy Decision (10 July 2023)
CMS Law, “Demystifying the debate on the US CLOUD Act vs European/UK Data Sovereignty” (February 2026)
US Department of Justice, CLOUD Act Resources
https://www.justice.gov/criminal/cloud-act
Post 2: The Warrant vs The Obligation — How Each Government Reaches Your Data
The mechanics of government data access differ significantly between the US and China. Understanding the difference matters — not because one is acceptable, but because the risks require different mitigation strategies.
In the United States, the CLOUD Act did not create a new access power; it clarified that existing US legal process reaches data a US provider holds anywhere in the world. For the content of communications, that process is a warrant issued by an independent federal judge, based on probable cause that a specific crime has occurred and that the data contains evidence of it, and describing with particularity what is to be searched. Non-content records can be obtained with lesser process, such as a subpoena or court order. The provider can file a motion to quash, although the comity challenge the Act itself added is narrow: it applies only where the customer is neither a US person nor US-resident and disclosure would create a material risk of violating the law of a foreign government that has a CLOUD Act executive agreement with the US. Microsoft fought the earlier Ireland warrant case all the way to the Supreme Court before the CLOUD Act rendered it moot.
In China, there is no equivalent process. Article 7 of the National Intelligence Law requires “all organisations and citizens” to cooperate with intelligence work. No warrant. No judge. No probable cause. No mechanism to challenge. And the Supreme People’s Court has explicitly rejected judicial independence as a Western concept.
So the US system is better? In process, yes. Meaningfully. But here is the part that matters for European businesses: the CLOUD Act warrant can compel a US company to produce data stored in London, Frankfurt, or Dublin. The warrant is served on the company, not on a European court. No European judge reviews it. No European regulator is notified. Your data leaves European jurisdiction through a legal mechanism you have no visibility into and no power to contest.
Better process does not mean safe process. It means the risk is more structured, more predictable, and more amenable to mitigation — but it is still there.
This is post 2 of 9.
#datasecurity #CLOUDACT #compliance #GDPR #china #dataprivacy #datasovereignty
References:
BSA, “What Is the CLOUD Act?” (August 2025)
https://www.bsa.org/files/policy-filings/08192025bsacloudact.pdf
Cross-Border Data Forum, “Frequently Asked Questions about the US CLOUD Act”
Congressional Research Service, “Cross-Border Data Sharing Under the CLOUD Act”
https://www.congress.gov/crs-product/R45173
Mannheimer Swartling, “Applicability of Chinese National Intelligence Law to Chinese and non-Chinese Entities” (2019)
Post 3: FISA Section 702 — The Surveillance Programme That Europe Cannot Ignore
The CLOUD Act is not the only US law that should concern European businesses. FISA Section 702 is arguably the bigger problem.
Section 702 of the Foreign Intelligence Surveillance Act authorises US intelligence agencies to conduct warrantless surveillance of non-US persons located outside the United States. Read that again: non-US persons. That means European citizens. Their communications can be collected, stored, and queried without any individual warrant.
The programme operates under annual certifications approved by the Foreign Intelligence Surveillance Court, but individual targets do not require judicial approval. When the NSA collects under Section 702, communications involving US persons are incidentally captured too, and agencies can query the resulting database using US person identifiers without a warrant. An amendment to require a warrant for such queries failed in the House by a tied 212–212 vote; the 2024 reforms tightened query procedures but did not add a warrant requirement.
Section 702 was reauthorised in April 2024 for just two years. It sunsets again in April 2026. The debate is ongoing and public, which is more than can be said for China’s equivalent capabilities. But the programme’s existence is precisely why the CJEU struck down two successive EU–US data transfer frameworks: Safe Harbor in 2015 and Privacy Shield in 2020.
Executive Order 14086 was designed to patch the gap. It introduced proportionality requirements and a redress mechanism. But it is an executive order — not legislation. A future president can revoke it. And European data collected under Section 702 is still collected under Section 702, regardless of what any executive order says about safeguards.
This is post 3 of 9.
#FISA #datasecurity #surveillance #privacy #GDPR #dataprivacy #datasovereignty
References:
Congressional Research Service, “FISA Section 702 and the 2024 Reforming Intelligence and Securing America Act”
https://www.congress.gov/crs-product/R48592
EPIC, “FISA Section 702: Reform or Sunset”
https://epic.org/campaigns/fisa-section-702-reform-or-sunset
European Parliament, “First reactions to Executive Order 14086”
https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/739261/EPRS_BRI(2022)739261_EN.pdf
US Department of Justice, Office of Privacy and Civil Liberties — Executive Order 14086
https://www.justice.gov/opcl/executive-order-14086
Post 4: China’s Seven Laws — The Cage That No Contract Can Open
If the US system is a structured risk, China’s is an unmanageable one.
Since 2014, China has enacted at least seven major laws that collectively give the government sweeping authority to access any data held by any Chinese company. Among them: the Counter-Espionage Law (2014) compels cooperation with investigations. The National Intelligence Law (2017) creates a blanket cooperation obligation. The Cybersecurity Law (2017) mandates data localisation and technical assistance. The Cryptography Law (in force 2020) gives the state access to commercial encryption systems and their keys. The Data Security Law (2021) imposes government security reviews. The Personal Information Protection Law (2021) regulates companies but leaves the state’s own access largely untouched.
Three features make this system categorically different from anything in Western law.
First: personal obligations. Article 7 binds individual citizens, not just companies. Every Chinese engineer working at any Chinese company is personally bound by this law, wherever they are.
Second: mandatory secrecy. A Chinese company served with a request under the NIL cannot tell you. Cannot tell its board. Cannot tell its European customers. The DHS Data Security Business Advisory confirmed that Chinese firms are “required to secretly share data.”
Third: undefined scope. China’s NIL covers “intelligence work” — deliberately undefined. It can encompass economic intelligence, trade secrets, and strategic competitive information. There is no limiting principle.
The US system has genuine problems. China’s system is those problems without any of the constraints.
This is post 4 of 9.
#datasecurity #china #compliance #dataprivacy #encryption #cybersecurity #riskmanagement
References:
US Department of Homeland Security, “Data Security Business Advisory” (22 December 2020)
https://www.dhs.gov/sites/default/files/publications/20_1222_data-security-business-advisory.pdf
Lawfare, Tanner, “Beijing’s New National Intelligence Law: From Defense to Offense” (2017)
https://www.lawfaremedia.org/article/beijings-new-national-intelligence-law-defense-offense
Skadden, “China’s New Data Security and Personal Information Protection Laws” (November 2021)
China Law Translate, National Intelligence Law full text
https://www.chinalawtranslate.com/en/national-intelligence-law-of-the-p-r-c-2017
Post 5: The Adequacy Illusion — Why the Data Privacy Framework Doesn’t Solve the Problem
In July 2023, the European Commission granted the US an adequacy decision under the EU–US Data Privacy Framework. The UK followed with a data bridge. Many businesses treated this as the green light: problem solved, transfers to US companies are fine now.
It is not that simple.
The DPF is the third attempt at an EU–US data transfer framework. Safe Harbor was struck down by the CJEU in 2015. Privacy Shield was struck down in 2020. Both were invalidated because the Court found that US surveillance law, specifically FISA Section 702, did not provide protections “essentially equivalent” to EU law.
The DPF rests on Executive Order 14086, which introduced proportionality requirements and a Data Protection Review Court. But EO 14086 is an executive order, not an Act of Congress. It can be revoked or amended by any sitting president without congressional approval. Privacy campaigner Max Schrems has already indicated he intends to challenge the framework, and the European Parliament passed a resolution expressing concern that it may not survive judicial scrutiny.
And here is the fundamental issue the DPF does not resolve: the CLOUD Act. Even under the DPF, a US company served with a CLOUD Act warrant must comply. The warrant overrides any contractual arrangement with a European customer. CMS Law’s February 2026 analysis confirmed that European data residency is “not a silver bullet when it comes to avoiding the reach of the US CLOUD Act.”
The DPF makes transfers lawful under GDPR. It does not make your data unreachable by US authorities. Those are very different things.
This is post 5 of 9.
#GDPR #dataprivacy #CLOUDACT #compliance #datasovereignty #dataprotection #datasecurity
References:
CMS Law, “Demystifying the debate on the US CLOUD Act vs European/UK Data Sovereignty” (February 2026)
European Parliament, “First reactions to Executive Order 14086”
https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/739261/EPRS_BRI(2022)739261_EN.pdf
Fieldfisher, “EO 14086 and the EU–US Data Privacy Framework” (November 2022)
https://www.fieldfisher.com/en/insights/eo-14086-and-the-eu-us-data-privacy-framework
European Commission, EU–US Data Privacy Framework
Post 6: The Uncomfortable Similarities — What the US and China Actually Have in Common
It is easier to focus on the differences. But intellectual honesty requires acknowledging the structural similarities between US and Chinese data access law. There are more than the American technology industry would like to admit.
Both claim extraterritorial jurisdiction. The CLOUD Act compels US companies to produce data regardless of where it is stored, including in the EU and UK. China’s National Intelligence Law applies to Chinese citizens and organisations wherever they operate. Both override the data sovereignty preferences of the countries where data physically resides.
Both override contractual obligations. If your contract with a US provider says data will only be processed in the EU, a CLOUD Act warrant overrides that clause. If your contract with a Chinese provider is governed by English law, Chinese intelligence legislation overrides those obligations too.
Both have been found wanting by European courts and regulators. The CJEU struck down two successive EU–US frameworks. Italy’s data protection authority blocked a Chinese AI provider. Ireland’s DPC fined another €530 million for transfers to China. European institutions have expressed concern about both systems.
Both create an irreconcilable conflict for European companies. UK GDPR requires that you ensure data is protected to an equivalent standard when transferred internationally. Neither US nor Chinese law can provide that guarantee, because both reserve the right to access that data unilaterally, overriding any protection you’ve put in place.
The scale of oversight differs enormously. But the fundamental conflict is the same: a foreign government claims authority over data that European law says is yours.
This is post 6 of 9.
#datasecurity #CLOUDACT #GDPR #dataprivacy #compliance #datasovereignty #china
References:
eucrim, “Unpacking the CLOUD Act”
https://eucrim.eu/articles/unpacking-cloud-act
Irish DPC, TikTok Decision (2 May 2025)
CMS Law, “Demystifying the debate on the US CLOUD Act vs European/UK Data Sovereignty” (February 2026)
Post 7: Encryption — The One Technical Measure That Might Change the Equation
If neither legal framework is safe, is there a technical answer? Partially. And it comes down to who holds the encryption keys.
The CLOUD Act is explicitly “encryption neutral.” It does not create any authority for US law enforcement to compel service providers to decrypt data or build backdoors. If data is end-to-end encrypted and only you hold the keys, a CLOUD Act warrant can still compel the provider to produce the ciphertext, but it cannot force the provider to produce the data in readable form, because the provider is not able to. This is confirmed by the Wiley Rein analysis of the US–UK Data Access Agreement.
China’s Cryptography Law takes the opposite approach. The State Cryptography Administration can demand complete access to commercial encryption systems, including keys and passwords. The DHS confirmed the SCA has “full access to decryption keys, passwords, and any other information needed to access data on a commercially encrypted server.”
This is the one area where the difference between US and Chinese law produces a genuinely different risk mitigation strategy. With US providers, customer-held encryption keys are a meaningful technical safeguard, with one check a practitioner should make: the key must be one the provider genuinely cannot reach. A “customer-managed” key that lives in the provider’s own key management service is still within the provider’s operational reach, and therefore within the warrant’s; only keys held outside the provider (client-side encryption, or an external key manager you operate) take the plaintext off the table. With Chinese providers, key management does not help, because the Chinese state may already hold the keys.
But encryption is not a complete solution for US providers either. Many cloud services require access to unencrypted data to function. AI APIs by definition process the content you send them. You cannot encrypt a prompt sent to an AI model and still get a useful response. The model must see your data in plaintext.
This is why data sanitisation, removing sensitive information before it leaves your infrastructure, is the only approach that works regardless of which superpower’s legal system you’re dealing with.
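The sanitisation step described here (and returned to in Post 9), as an added example that is not part of the original series and not any provider’s code: a small Python pseudonymiser that replaces e-mail addresses, international-format phone numbers, mod-97-valid IBANs and a configurable list of known names with stable placeholders, keeps the reverse map on your own side, refuses to send anything a detector still matches, and rehydrates the model’s reply locally. The detectors, the placeholder format and the sample prompt are assumptions made for the illustration.

```python
"""Outbound prompt sanitiser: pseudonymise sensitive values before a prompt
leaves your infrastructure, then restore them in the reply locally.

Illustration added to this series; not code from the original posts or from
any provider. Which detectors count as "sensitive" is an assumption: extend
them with your own data classes (customer IDs, project names, and so on)."""
import re
from dataclasses import dataclass, field

# Constructed sample prompt: the kind of text staff paste into an AI tool.
SAMPLE_PROMPT = (
    "Draft a polite reminder to Anna Schmidt (anna.schmidt@example.de, "
    "+49 30 1234567) that invoice 4711 is overdue. Anna Schmidt should pay "
    "to DE89 3704 0044 0532 0130 00 within 14 days."
)


def iban_valid(candidate: str) -> bool:
    """ISO 13616 mod-97 check: rejects strings that merely look like IBANs."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]                     # country code + check digits go last
    numeric = "".join(str(int(c, 36)) for c in rearranged)  # A=10 ... Z=35
    return int(numeric) % 97 == 1


@dataclass
class Sanitiser:
    """Replaces sensitive values with stable placeholders such as [EMAIL_1].
    The reverse map stays in this process, so the provider, and anyone who can
    compel the provider, sees placeholders only."""
    known_names: tuple = ()                         # names you know are sensitive
    _forward: dict = field(default_factory=dict)    # original value -> placeholder
    _reverse: dict = field(default_factory=dict)    # placeholder -> original value
    _counts: dict = field(default_factory=dict)

    # Order matters: e-mail first so a "+" inside an address is not split off
    # as a phone number; IBAN before phone so account digits are not taken for one.
    PATTERNS = (
        ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), None),
        ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b"), iban_valid),
        ("PHONE", re.compile(r"(?<!\w)\+\d[\d ()-]{6,}\d(?!\w)"), None),  # international format only
    )
    PLACEHOLDER = re.compile(r"\[(?:EMAIL|IBAN|PHONE|NAME)_\d+\]")

    def _placeholder(self, kind: str, value: str) -> str:
        if value not in self._forward:              # same value -> same placeholder
            self._counts[kind] = self._counts.get(kind, 0) + 1
            token = f"[{kind}_{self._counts[kind]}]"
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def sanitise(self, text: str) -> str:
        """Return text safe to transmit: every detected value is a placeholder."""
        for kind, pattern, validator in self.PATTERNS:
            def repl(m, kind=kind, validator=validator):
                if validator is not None and not validator(m.group(0)):
                    return m.group(0)               # lookalike, leave as is
                return self._placeholder(kind, m.group(0))
            text = pattern.sub(repl, text)
        for name in sorted(self.known_names, key=len, reverse=True):  # longest first
            text = re.sub(r"\b" + re.escape(name) + r"\b",
                          lambda m: self._placeholder("NAME", m.group(0)), text)
        return text

    def leaks(self, text: str) -> list:
        """Pre-transmission gate: anything a detector still finds is a leak."""
        found = [(kind, m.group(0))
                 for kind, pattern, validator in self.PATTERNS
                 for m in pattern.finditer(text)
                 if validator is None or validator(m.group(0))]
        found += [("NAME", n) for n in self.known_names
                  if re.search(r"\b" + re.escape(n) + r"\b", text)]
        return found

    def rehydrate(self, reply: str) -> str:
        """Restore original values in the model's reply; unknown tokens stay."""
        return self.PLACEHOLDER.sub(
            lambda m: self._reverse.get(m.group(0), m.group(0)), reply)


if __name__ == "__main__":
    s = Sanitiser(known_names=("Anna Schmidt",))
    outbound = s.sanitise(SAMPLE_PROMPT)
    assert not s.leaks(outbound), "refuse to send"   # the gate, before any API call
    print("OUTBOUND:", outbound)
    # Constructed stand-in for the model's reply, which only ever saw placeholders.
    reply = "Dear [NAME_1], please settle invoice 4711 by transfer to [IBAN_1]."
    print("LOCAL   :", s.rehydrate(reply))
```

Run it and the OUTBOUND line is all the provider ever sees. Stable placeholders matter: the model can still reason about “the same person” across a conversation without learning who that person is. The `leaks` gate is the control to log and alert on, because a new data class the detectors do not yet know about is exactly how sensitive material slips out.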
This is post 7 of 9.
#encryption #datasecurity #cybersecurity #compliance #CLOUDACT #datasovereignty #dataprivacy
References:
Wiley Rein LLP, “The CLOUD Act Data Access Agreement — 10 Things Companies Need to Know”
US Department of Homeland Security, “Data Security Business Advisory” (2020)
https://www.dhs.gov/sites/default/files/publications/20_1222_data-security-business-advisory.pdf
Lawfare, “The U.K.–U.S. Data Access Agreement” (June 2025)
https://www.lawfaremedia.org/article/the-u.k.-u.s.-data-access-agreement
Post 8: Then Canada Blew It All Up — The OVH Case and the Death of Data Residency
For seven posts, this series has focused on the US and China. That’s where everyone’s attention is. That’s where it’s wrong.
On 25 September 2025, a judge in Ontario ordered OVHcloud, a French company headquartered in Roubaix that held the data in question on servers in France, the UK, and Australia, to hand over customer data to the Royal Canadian Mounted Police. Not through a mutual legal assistance treaty. Not through diplomatic channels. Directly.
OVHcloud’s Canadian subsidiary argued it had no technical access to the parent company’s data. France’s intelligence and economic security service, the SISSE, wrote to the court twice warning that disclosure would violate French law. The French Ministry of Justice offered to expedite the request through official channels. OVH demonstrated the data was held by a separate legal entity in a separate jurisdiction.
The judge ordered production anyway. Her reasoning: OVH has a “virtual presence” in Canada because it offers services there. That was sufficient to establish Canadian jurisdiction over data stored in France.
OVHcloud now faces criminal liability in both countries. Comply with Canada, break French law. Comply with France, face contempt in Canada. The company filed for judicial review in October 2025.
Months earlier, in June 2025, Microsoft France’s legal director had testified under oath before the French Senate. Asked whether he could guarantee that French citizens’ data held in EU data centres would not be handed to US authorities, Anton Carniaux replied: “No, I cannot guarantee that.”
This is not about the US. It is not about China. It is about any company, with any presence, in any foreign jurisdiction. The fixation on US versus China is taking everyone’s eye off the real issue: no foreign legal framework can protect European data. None.
This is post 8 of 9.
#datasovereignty #datasecurity #compliance #GDPR #dataprivacy #dataprotection #OVH
References:
The Register, “Canadian data order risks blowing a hole in EU sovereignty” (27 November 2025)
https://www.theregister.com/2025/11/27/canada_court_ovh
heise online, “Canadian Court: OVHcloud from France must hand over user data” (26 November 2025)
Canadian Privacy Law Blog, “What digital sovereignty? How a Canadian Court is forcing a French company to break French law” (December 2025)
https://blog.privacylawyer.ca/2025/12/what-digital-sovereignty-how-canadian.html
CMS Law, “Demystifying the debate on the US CLOUD Act vs European/UK Data Sovereignty” (February 2026)
The Register, “Microsoft exec admits it cannot guarantee data sovereignty” (25 July 2025)
https://www.theregister.com/2025/07/25/microsoft_admits_it_cannot_guarantee
heise online, “Not sovereign: Microsoft cannot guarantee the security of EU data” (21 July 2025)
Post 9: Whose Flag Protects You? — None of Them
This series began with the US and China. It ends somewhere more uncomfortable.
A Canadian court ordered a French company to hand over European data, bypassing international treaties entirely. Microsoft’s own legal director admitted under oath that the company cannot guarantee European data stays beyond the reach of US authorities, and no other US provider is in a different legal position. The CLOUD Act, FISA Section 702, China’s National Intelligence Law, and now a Canadian “virtual presence” doctrine: every one of them claims authority over data that European law says belongs to European data subjects.
The differences between these systems are real. China’s is the most dangerous: no oversight, no transparency, no reform mechanism. The US system has genuine constitutional constraints and a functioning, if fragile, adequacy framework. Canada’s assertion is the most alarming precisely because nobody saw it coming.
But the conclusion is the same for all of them. No flag protects you. No adequacy decision prevents a warrant from being served. No Standard Contractual Clause overrides a foreign intelligence law. No data residency guarantee survives a “virtual presence” ruling. The entire debate about which country is safer is a distraction from the only question that matters: does sensitive data leave your control?
If it does, you are relying on a foreign legal system to protect it. And as we have seen, from Washington, from Beijing, and now from Ottawa, foreign legal systems protect their own interests, not yours.
The only protection that works regardless of jurisdiction is ensuring sensitive data never reaches a provider subject to foreign government access in the first place. That means data sanitisation before information leaves your infrastructure. That means controlling what is sent, not where it is stored.
Whose flag protects you? Your own. If you take the right steps to make that mean something.
Thank you for following this series.
#datasecurity #compliance #GDPR #dataprivacy #datasovereignty #riskmanagement #cybersecurity #dataprotection
References:
ICO, Transfer Risk Assessment Guidance (updated January 2026)
CMS Law, “Demystifying the debate on the US CLOUD Act vs European/UK Data Sovereignty” (February 2026)
The Register, “Canadian data order risks blowing a hole in EU sovereignty” (27 November 2025)
https://www.theregister.com/2025/11/27/canada_court_ovh
The Register, “Microsoft exec admits it cannot guarantee data sovereignty” (25 July 2025)
https://www.theregister.com/2025/07/25/microsoft_admits_it_cannot_guarantee
